An attacker could try to obtain valid refresh tokens by proxying requests to the authorization server. Given the assumption that the authorization server URL is well-known at development time or can at least be obtained from a well-known resource server, the attacker must utilize some kind of spoofing in order to succeed.
OAuth 2.0 Threat Model and Security Considerations (RFC6819, section 4.5.4)
This threat is considered fully mitigated if all the test cases from the following test set succeed.
Back to the threat overview